Note on the structure of articles

From International cyber law: interactive toolkit
Jump to navigation Jump to search

The structure of articles[edit | edit source]

The core of this toolkit consists of international cyber law scenarios. Each scenario describes an incident, or a series thereof, and then analyses these from the perspective of international cyber law. The central question of the legal analysis section is the following: Do the incidents described in the scenario amount to a violation of international law by any of the relevant actors? In order to answer that question, the section is typically divided into three main parts: (1) attribution, (2) breach, and (3) responses and justifications. Occasionally, one or even two of these parts may be missing, depending on which issues are raised by a particular scenario.

This structure broadly follows the logic of the law of international responsibility. According to this logic, an entity—most commonly, but not exclusively, a State[1]—is only responsible for an internationally wrongful act if three conditions are met simultaneously: firstly, there is an action or omission which is attributable to the entity in question; secondly, that action or omission constitutes a breach of an international obligation of the said entity; and thirdly, there are no circumstances that would preclude the wrongfulness of such an action or omission.[2] As far as the responsibility of States is concerned, the relevant rules are codified in the International Law Commission’s Articles on State Responsibility,[3] which are generally considered to reflect customary international law.[4]

The remainder of this note explains the basics of the relevant law from the perspective of its application to cyber operations of the kind discussed in the present toolkit. Its aim is to assist the readers in understanding the structure used in the analysis of the individual scenarios while avoiding unnecessary repetition in the text of those scenarios.

Attribution[edit | edit source]

The conduct of the actors in the scenario must be attributable to an entity that bears the relevant obligation under international law.[5] For the most part, international law regulates the conduct of States, and therefore the section on attribution typical considers whether the relevant conduct is imputable to any of the States mentioned in the scenario. To the extent that non-State actors (such as international organizations, private companies or organized armed groups) bear specific legal obligations under international law, this is highlighted in the text and if attribution of specific conduct to such entities poses particular problems, this is also considered in the same section.

As far as attribution of conduct to States is concerned, it is useful to distinguish between, on the one hand, the conduct of State organs or in exercise of governmental authority and, on the other hand, the conduct of non-State actors:[6]

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[7]
  2. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;[8]
  3. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."[9]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[10]

Non-State actors
Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
  1. "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";[11]
  2. "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";[12]
  3. "an insurrectional movement which becomes the new Government of a State";[13] or
  4. "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".[14]


  1. the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".[15]

The details of the individual modes of attribution are considered in the specific scenarios. In some cases, the aspect of evidence is considered:

Evidentiary standards
Evidentiary standards applicable to the attribution of cyber activities are context-dependent.[16] The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,[17] and these matters are instead ordinarily determined by the relevant forum.[18]

However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."[19] This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."[20] Nevertheless, there is no obligation to publicly provide the evidence.[21]

Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.[22]

Breach[edit | edit source]

Breach of an international obligation
Breach of an international obligation.svg
The second element of an internationally wrongful act is conduct amounting to a breach of an international obligation owed by the relevant entity.[23] In this regard, it is undisputed that a cyber-related action or omission by a State may constitute a breach of its international obligations.[24] International obligations arise from primary rules of international law:[25] international treaties, customary international law, and general principles of law.[26] Fault, such as intent or negligence on part of the wrongdoing State, is not a necessary element of a breach of an international obligation, unless there exists such a requirement in the relevant primary rule.[27] Similarly, there is no general requirement for the injured party to have suffered any damage—again, unless such a requirement forms part of the primary obligation in question.[28]

It is impossible to provide a list of all international obligations that may be violated by resort to cyber means. However, certain rules appear with higher frequency than others. These include the prohibition on the use of force; the prohibition of intervention; the obligation to respect the sovereignty of other States; the obligation to respect the right to privacy; the obligation of due diligence; and a few others (such as, for instance, the rule of distinction in the context of the law of armed conflict).

Although the application of these rules to the particular facts is the task of the individual scenarios, the toolkit contains an overview of each of these rules from the perspective of cyber-related activities. These overviews provided in collapsible sections within the individual scenarios and they can also be accessed directly at the links above or through the general List of articles.

Responses and justifications[edit | edit source]

Circumstances precluding wrongfulness
Circumstances precluding wrongfulness.svg
A specific cyber-relation action or omission will only constitute an internationally wrongful act in the absence of circumstances precluding its wrongfulness.[29]

The wrongfulness of specific conduct is precluded if one of the following conditions is met:

  1. the State affected by that conduct gives its valid consent to the commission of the relevant act, as long as the act remains within the limits of that consent;[30]
  2. the conduct of the acting State qualifies as a lawful measure of self-defence taken in conformity with the UN Charter;[31]
  3. the conduct of the acting State constitutes a lawful countermeasure taken against another State;[32]
  4. the conduct of the acting State is justified by the existence of a situation of force majeure;[33]
  5. owing to a situation of distress, the acting person has no other reasonable way of saving their own life or the lives of other persons entrusted to their care;[34]
  6. the conduct of the acting State is the only way for the State to safeguard an essential interest against a grave and imminent peril (also referred to as acting under the “plea of necessity”).[35]

Some of the generally accepted circumstances precluding wrongfulness are responsive in nature, in the sense that they allow the relevant actor to claim that it is responding to a prior act of another entity or to a previously existing situation and that it is the fact of acting in response which justifies the lawfulness of the conduct in question. Accordingly, the scope of the third part of the legal analysis section is broader than a mere consideration of the applicable circumstances precluding wrongfulness. On occasion, other available responses (such as retorsions or responses authorized by the municipal law of the acting State) are also discussed, even if these do not serve to shield the acting entity from international responsibility.

An act of retorsion is “an unfriendly but nevertheless lawful act by the aggrieved party against the wrongdoer”.[36] Such acts may include the prohibition of or limitations upon normal diplomatic relations, the imposition of trade embargoes or the withdrawal of voluntary aid programmes.[37] Cyber-specific retorsions may include sending warnings to cyber operatives belonging to another State, observing the adversary’s cyber activities on one’s own network using tools such as “honeypots”, or slowing down malicious cyber operations conducted by other States.[38]

Publicly available national positions that address this issue include: National position of Estonia (2021) (2021), National position of Germany (2021) (2021), National position of the Netherlands (2019) (2019), National position of New Zealand (2020) (2020), National position of Norway (2021) (2021), National position of Singapore (2021) (2021), National position of Switzerland (2021) (2021), National position of the United Kingdom (2022) (2022), National position of the United States of America (2016) (2016), National position of the United States of America (2021) (2021).

Other responses may be available on the facts of the individual scenarios and are discussed there if appropriate.

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Cf. J Crawford, ‘The System of International Responsibility’ in J Crawford, A Pellet and S Olleson (eds), The Law of International Responsibility (OUP 2010) 17–18 (noting that although the “burden of compliance principally lies” on States, all international legal persons are subject to the system of international responsibility).
  2. It should be noted that the second and the third condition are frequently considered together. For practical reasons, the toolkit analyses each of them separately, as some authors have also done in the past: see, eg, J Crawford and S Olleson, ‘The Nature and Forms of International Responsibility’ in M Evans (ed), International Law (4th edn, OUP 2014) 453 (referring to “[t]hree elements”, namely “attribution, breach, and the absence of any valid justification for non-performance”). However, it is conceded that the (non-)existence of circumstances precluding wrongfulness may be viewed as a sub-element of breach: in other words, the circumstances, when they are validly invoked, exclude that the relevant conduct constitutes a breach of a given international obligation. FI Paddeu, “Circumstances Precluding Wrongfulness” in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008-) (last updated September 2014), para. 4.
  3. Articles on State Responsibility.
  4. See, eg, Noble Ventures v Romania (12 October 2005) ICSID Case No ARB/01/11, para. 69 (noting that the Articles “are widely regarded as a codification of customary international law”); Tallinn Manual 2.0, commentary to Chapter 4, section 1, para. 1 (noting that the International Group of Experts agreed that, with a few exceptions, the Articles “replicate customary international law”).
  5. Cf. Articles on State Responsibility, Art. 2(a).
  6. Cf. B Stern, “The Elements of an Internationally Wrongful Act”, in J Crawford, A Pellet and S Olleson (eds), The Law of International Responsibility (OUP 2010) 203–08 (distinguishing between “[o]rgans of the State and persons or entities exercising elements of governmental authority” and “[p]ersons and entities acting on behalf of the State”).
  7. ILC Articles on State Responsibility, Art 4(1).
  8. ILC Articles on State Responsibility, Art 6.
  9. ILC Articles on State Responsibility, Art 5.
  10. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  11. ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
  12. ILC Articles on State Responsibility, Art 9.
  13. ILC Articles on State Responsibility, Art 10(1).
  14. ILC Articles on State Responsibility, Art 10(2).
  15. ILC Articles on State Responsibility, Art 11.
  16. See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
  17. ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
  18. Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
  19. Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
  20. Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
  21. According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century'; see also Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, para 13.
  22. Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49 para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)
  23. Cf. ILC Articles on State Responsibility, Art. 2(b).
  24. For a detailed discussion of a breach of an international obligation by a cyber-related act, see rule 14 of Tallinn Manual 2.0 and commentary 2–11 thereto.
  25. ILC Articles on State Responsibility, General commentary, para 1.
  26. Statute of the International Court of Justice, of 26 June 1945, annexed to the UN Charter, Art 38(1)(a)–(c).
  27. ILC Articles on State Responsibility, Art. 2, para 10.
  28. ILC Articles on State Responsibility, Art. 2, para 9.
  29. Cf. ILC Articles on State Responsibility, commentary to Part One, chapter V, para 1 (“The existence in a given case of a circumstance precluding wrongfulness ... provides a shield against an otherwise well-founded claim for the breach of an international obligation”).
  30. ILC Articles on State Responsibility, Art 20.
  31. ILC Articles on State Responsibility, Art 21.
  32. ILC Articles on State Responsibility, Arts 22 and 49–54.
  33. ILC Articles on State Responsibility, Art 23.
  34. ILC Articles on State Responsibility, Art 24.
  35. ILC Articles on State Responsibility, Art 25.
  36. E Zoller, Peacetime Unilateral Remedies: An Analysis of Countermeasures (Transnational 1984) 5.
  37. Articles on State Responsibility, commentary to Part Three, Chapter II, para. 3.
  38. Jeff Kosseff, ‘Retorsion as a Response to Ongoing Cyber Operations’ in Taťána Jančárková et al (eds), 20/20 Vision: The Next Decade (CCD COE 2020) 17–22.

Bibliography and further reading[edit | edit source]

  • MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
  • etc.